
The need for action in cyber defence

The battle between the defenders and the attackers has been going on throughout human history - and it is no different in the field of information technology and cyber defence. The last round table of the ITexec 2024 conference, entitled IT security, the eternal magic word, has taken on a difficult task: to gather as much knowledge and experience as possible in a field that is more complex and diverse than ever before. Gábor Marton, Director of the Informatics Directorate of the University of Pannonia, participated in the discussion as an invited guest (Source: itbusiness.hu)

You can't get around NIS2, and perhaps you can't talk about it enough: Balázs Agárdy, Senior Manager at Deloitte, who chaired the roundtable, and his guests Krisztián Hári, Head of Security at Yettel, Katalin Korcsok, Deputy Chief Commercial Officer at Delta Systems, Tamás Kós, Director of Operations and Support at Intalion and member of the board of ISACA Hungary, and Gábor Marton, Head of the IT Directorate at the University of Pannonia, approached one of the "favourite" topics in the IT market from a wide variety of perspectives.


Krisztián Hári, Yettel; Katalin Korcsok, Delta Systems; Tamás Kós, Intalion, ISACA; Gábor Marton, University of Pannonia

Question: where does it start?

Krisztián Hári started by saying that the tasks a company still has to perform in the context of NIS2 depend largely on the maturity of the organisation's IT security framework. "Frankly speaking, what NIS2 brings should not be considered a novelty for any company or organisation," he added. On the positive side, however, he said that NIS2 finally offers a general and mandatory framework that gives companies a kind of "IT security hygiene" and that, if adhered to, can greatly increase the level of cyber security. In addition to technology, the human side should not be overlooked, Katalin Korcsok stressed. Even with the most careful gap analysis and rigorous tool management, mistakes made by staff or managers pose a huge threat, and this situation is unlikely to change in the future. Therefore, in connection with the implementation of NIS2, training and security awareness at all levels of companies and organisations should not be neglected, in addition to modern, even AI-based solutions.

Friend or foe?

For example, does it make a difference whether, when a fault or an incident is discovered, the disclosure of the problem is perceived as support for the company or, on the contrary, as an attack that raises internal tension? This can often be a question even at management level, adds Tamás Kós. But it is important for everyone to be aware that the biggest IT security exposure is the one we don't know about. These are the biggest threats, whether we are talking about business processes or the operation of public organisations. If we are not aware of our own vulnerabilities, they are a huge source of danger in our daily lives, and someone is likely to exploit them. "A key driver for IT security investments can be the development of a good leadership culture in the organisation," said Gábor Marton. As the person in charge of operations, it is also very important to know what will really matter if it goes down, disrupting the normal day-to-day running of the organisation. You also need to be able to "put a figure on it", i.e. you need to know, in quantified terms, how much a process or system shutdown will cost the company. Such high-priority areas for protection should be identified - preferably before they are successfully attacked - and brought to the attention of the business.

Understand each other's words, bits...

However, it is also essential that the IT security manager understands the language of the business side - and is able to translate the information security situation, problems and strategies into the language of business, added Krisztián Hári. The key to successful cooperation is that the CISO can not only talk about business processes, but also think about them. For companies looking to build successful cyber defences, it is essential that IT steps outside the realm of technology it is familiar with and makes security part of everyday life throughout the organisation. All development must start with security, from the very first conceptual sketches to the full delivery of a project, involving all suppliers, developers, testers and users.

At the same time, it is a common experience that companies, especially at lower levels of IT maturity, are slow to change their own IT security posture. "I'm nobody's target" is a conviction so often expressed that it can only be overridden by the first IT attack that causes significant damage, data and customer loss, and disrupts or interrupts business processes. This is why NIS2 is needed: through the power of regulation it will, in the fortunate case, force fundamental security measures, improvements, process assessment and remediation, and of course a change in the mindset of managers, before an attack occurs.